Ticketebo's General Data Protection Regulation (GDPR) Policy
What is GDPR?
The General Data Protection Regulation (“GDPR”) came into effect in Europe on 25 May 2018. GDPR provides citizens of the EU with additional data protection measures, designed to protect individuals’ rights and freedoms. If an organisation collects, transmits, hosts, analyses or processes the personal data of EU citizens, they are required to comply with GDPR.
The United Kingdom has announced that it will continue to follow the GDPR after Brexit, and so Ticketebo Ltd will be bound by these regulations moving forwards through the Brexit negotiations. The Data Protection Act 2018 is in effect one and the same thing as The General Data Protection Regulation which we adhere to.
When an organisation collects, uses or transfers personal information for its own purposes, that organisation is deemed to be a "controller" of that information and is therefore primarily responsible for meeting the legal requirements under data protection law.
When an organisation processes information on behalf of a third party (for example, Customer data processed by Ticketebo Ltd on behalf of its Event Organisers), that organisation is deemed to be a "processor" of the information.
Is Ticketebo Ltd a ‘Controller’ or ‘Processor’?
Under GDPR, Ticketebo is considered to be both a Data Controller and a Data Processor. Where Event Organisers create an account with Ticketebo, Ticketebo becomes a data controller over the personal data the Event Organiser provides in the process of setting up their account. Ticketebo will also be the data controller over the personal data provided by Customers, Visitors and Subscribers in the use of Ticketebo services.
Event Organisers are also considered to be Data Controllers when collecting information from Customers.
In providing ticketing and registration services to Event Organisers, Ticketebo acts as a data processor for a Customer’s personal data. This includes facilitating emails to the Customer on behalf of the Event Organiser, processing payments or providing event reports and tools to Event Organisers to monitor their sales. In this case, the relevant controller of the personal information (i.e., the Event Organiser) will be jointly responsible for meeting the legal requirements.
What is Ticketebo doing to comply with GDPR?
Ticketebo is committed to complying with GDPR and relevant data protection laws.
Compliance with GDPR requires a partnership between Ticketebo Ltd and our Event Organisers in their use of our service. As Event Organisers are also classified as Data Controllers under GDPR, we work closely with them to help them to comply with the regulation as well.
Here is a brief summary of some of the key areas that we focus on in order to be compliant with the GDPR:
Transparency – We will always be clear and open about how and when we use your personal data.
Data protection by design and by default – We are ensuring that our services collect, store and process data in ways that prioritise data protection and privacy. We also only hold data for as long as it is necessary. In the UK this means abiding by the accounting regulations that stipulate we must be able to hold records for 7 years.
Consent – The GDPR clearly states that we must ask permission to store your personal data for Marketing purposes, and to share with third parties. Unlike many of our competitors, we never sell or share personal information with third parties that want to sell services or products to you. The only third parties that we share your data with are:
The organisers of the Event that you have bought tickets for. (They need this information to be able to contact you, should the need arise prior to an event, for example to share Health and Safety information with you, or if an event is materially altered. But they are not allowed to send you marketing material unless you have ‘opted in’ when asked during your ticket purchase process.)
Our payment processing partners, in order for your credit/debit card to be processed when you buy a ticket.
Any legally required sharing. (E.g. the police, investigating fraud.)
How can Event Organisers prepare for GDPR?
As both Ticketebo and Event Organisers are subject to GDPR, we have prepared a Data Processing Addendum (“DPA”) that outlines the legal relationship between the Event Organiser (as the data controller) and Ticketebo (as the data processor). The DPA is incorporated in our Event Organiser Terms and Conditions.
The steps Ticketebo has implemented will make it easier for Event Organisers to comply with GDPR. Ticketebo encourages Event Organisers to adhere to GDPR by reviewing their privacy and data security processes, and ensuring that they have a set of terms and conditions to apply to their events linked to Ticketebo. Ticketebo cannot be held responsible for an Event Organiser failing to adhere to their responsibilities under GDPR.
In regards to data security, Ticketebo will work together with the Event Organiser in the event that we discover a data breach pursuant to the DPA and our data breach policy.
GDPR outlines certain ‘rights’ that individuals have in terms of their personal data.
The right to have personal data erased (The right to be forgotten)
The right to have personal data rectified
The right to access the personal data they provided to Ticketebo during bookings
The right to request Ticketebo transmits the personal data it holds about them to another source
The right to restrict the processing of their data
Individuals also have the right to object to processing of their personal data. In these instances, the controller shall no longer process the data unless they can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. For example, if you have bought a ticket through Ticketebo, you cannot request that this transaction is deleted. (It has happened and cannot ‘un-happen’.) However, you can request that Ticketebo stops sending you marketing material at any time. You have a ‘right to be forgotten’ from this perspective. In addition, if we or someone believes you may be involved in fraud (e.g. selling illegal duplicate tickets), you do not have the right to be forgotten, as this information will be passed to the police.
In regards to direct marketing, Event Organisers and Subscribers can withdraw their consent at any time by clicking the ‘unsubscribe’ link in our emails. Alternatively, Event Organisers and Subscribers may contact firstname.lastname@example.org to request to be manually unsubscribed.
To access, change, or request deletion of the personal data that you have provided to Ticketebo during bookings, please email email@example.com
In order to exercise your rights under GDPR, please contact firstname.lastname@example.org
For more information please contact our Data Protection Officer at email@example.com